Evidence of meeting #64 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was gdpr.

A recording is available from Parliament.

Also speaking

Giovanni Buttarelli  Supervisor, European Data Protection Supervisor

12:50 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

I presume I'm out of time.

12:50 p.m.

Conservative

The Chair Conservative Blaine Calkins

You are making a very good presumption, Mr. Kelly. We thank you very much.

We now go to Mr. Ehsassi, please.

12:50 p.m.

Liberal

Ali Ehsassi Liberal Willowdale, ON

Thank you, Mr. Chair.

Thank you, Mr. Buttarelli, for taking the time to be with us today.

Now, one of the issues that has yet to come up today is the issue of algorithmic decision-making.

Would you kindly explain to us what the provisions of the GDPR are with respect to that issue, and how much of a concern is it?

12:50 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Are you relating to the adequacy finding?

12:50 p.m.

Liberal

Ali Ehsassi Liberal Willowdale, ON

Yes, algorithmic decision-making.

12:50 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Okay.

Here we don't have too much novelty. The GDPR does not mention artificial intelligence, but there is a provision which is in continuity with the current directive. It provides for this article 22, which provides for a line of continuity. The data subject will continue having a right not to be subject to a decision based solely on automatic processes, including but not totally providing...when the decision is likely to produce legal effects concerning him or her, or with a view to significantly affecting him or her. There are some exceptions in the case of the necessity relating to a contract between the data subject and the data controller, or explicit consent by the data subject. What is needed is that in case of a derogation, some suitable measures be listed by the legislator to safeguard the data subjects and rights.

We see a line of continuity in having a human evaluation as part of the process. We recognize the ability of the controller to build largely on an automated individual decision-making process. However, the question is on what is at the end, how the decision is placed, and to which extent there is a human contribution. This is a specific right. The wording is “shall”, and therefore now the question is to what extent we may build on safeguards.

Let me say that with regard to artificial intelligence, we have posted on our website an important background document for the last conference of all data protection and privacy and information commissioners from all around the world—a meeting in Marrakech—with a view to going beyond the GDPR being part of the artificial intelligence debate by the data protection people, and a list of questions for a more synchronized approach by DPS. In case you fail to identify the web page, we can provide you with the relevant link.

12:55 p.m.

Liberal

Ali Ehsassi Liberal Willowdale, ON

Thank you.

In preparing for your appearance here, I had a chance to check out your website, and I noticed that you do a lot of outreach and educational workshops.

Could you tell us how important these initiatives have been in terms of elevating people's understanding of digital privacy rights and whether they're focused more on businesses or on consumers?

12:55 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

They are. Let me speak about my background.

I spent 12 years in a national data collection authority as a secretary general in my country of origin. I can say that awareness and data protection in privacy culture is more than essential. You may be the best one in terms of legal analysis, but if you fail in making people aware of their rights, if you fail in being engaged with the controllers in the process, you are not on the right track.

One of the novelties of the GDPR relates to the adoption of guidelines. We've replaced 25 out of 47 legal provisions, so the GDPR is speaking about new legislation, implementing delegated acts by the European Commission with flexible guidance from controllers. They are to be adopted on the basis of an inclusive process, in active consultation with data controllers. The decision-making process by the European Data Protection Board will be very different from the one currently followed by 29 working parties.

Recently, I also started an exercise to make data protection more accessible. It is extremely complicated. It's not simple from a legal viewpoint. It's horizontal. It relates to many sectors. You should make this principle digestible in practice. There should be not only warnings, but also, on the basis of your experience, proactive exercises to explain how they may be applied in practice.

By May of next year, together with the commission, we will take part in a European Union campaign to make people aware of the new data subject's rights, but also to speak more directly to data controllers and processors to make data protection digital. I would like to focus more on making this principle effective in practice, much less “Pater Noster, Ave, and Gloria,” and more substantive principles in practice.

12:55 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much.

I'll go back to Mr. Kelly, please.

12:55 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you.

To perhaps return to my earlier question, what I would like to do is identify, as specifically as you're able to, areas of PIPEDA. That's what we're studying now. I understand that our Privacy Act and perhaps other laws are also areas of concern for compliance or compatibility with the GDPR, but it's PIPEDA that we're studying.

Please be as specific as you can. Are there shortcomings you've identified that you would suggest we apply ourselves to?

1 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

I'm not an expert on PIPEDA, but I understand that it applies only to private sector organizations. Initially, the act applies only to organizations that are regulated at the federal level, but also to the disclosure of personal information by certain organizations. Finally, I understand that the act also applies to all businesses in the territories as they are deemed to be federal work.

One question relates to this. What if a province passes privacy legislation, even if it is substantially similar? Second, what about government organizations? Would you like to work in a perspective to simply follow the line and remain in the specific context of the private sector organizations, or is there any interest to make the adequacy finding larger by considering other areas as well?

I think we will pay attention to onward transfers more than in the past, to the specific statutes for sensitive data, and pay a lot of attention to the e-privacy regulation to be applied soon. It enters into force by May 25 next year as well.

Some regulation is likely to specify and complement existing provisions in the general regulations in the online world, so you will have substantive provisions, for instance, on cookies, on the protection of confidentiality, and on search engines, particularly with regard to consent.

I had a chance to discuss with your federal commissioner consent in the GDPR as compared to consent in the current directive. One of the major concerns for controllers is whether to collect once again a new consent by the data subject. The answer is that it depends on whether you respect the essence of the future provisions. Did you really collect a freely given, specific, and informed indication of the data subject's wishes? Did you provide for an explicit consent to process sensitive data? Could you say that for data other than sensitive data consent is unambiguous? Therefore, you have to discuss which consent is unambiguous in the online world.

This is extremely important, because in case you cannot work on reliable consent anymore, you have to verify which other legal ground is to be...collected, with particular regard to the balance of interest and to legitimate interest.

There are two opinions by the current Article 29 Working Party, plus another one on purpose limitation. I think they may be considered in terms of priority now, with a view to see to what extent certain protections or safeguards for the data subject are effective in practice.

Perhaps it would also be relevant to share my views with you on profiling and mass information—

1:05 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

I don't mean to cut you off, but I'm getting the look from the Chair and I think my time is up.

1:05 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Perhaps we can get to that in future questions.

Mr. Long.

June 13th, 2017 / 1:05 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Thank you, Chair.

Mr. Giovanni Buttarelli, we want to thank you very much for taking your time this evening to help educate us. There's no question that we can learn a lot from you.

1:05 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

That's reciprocity. I am learning a lot also from you.

1:05 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

That's good. It's good that it goes both ways.

I want to speak to you about the GDPR with respect to children—children's rights and the protection of children. We've had lots of witnesses come before us over the last several months to talk to us about the lack of provisions in PIPEDA to protect children. We look at the United States with the COPPA and the provisions that it has.

I wanted to learn from you and understand the GDPR with respect to children's rights, consent, age limits, that kind of thing. If you could give us a bit of information from what you see, it would be greatly appreciated.

1:05 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

We've said in more than one “EDPS Opinion” that this is an area where we are partly disappointed. The GDPR is not in the form of my dreams, but it's the best we can achieve today. If we started today with a new process, I doubt we could get something better.

On children, the legislator has been less ambitious than expected. We have just one article in the GDPR. We are expecting a new provision with regard to online services in the e-privacy directive.

First of all, there is a fragmented approach in the EU with regard to the age of maturity, and the compromise was that the processing of personal data of a child shall be lawful where the child is at least 16 years old.

1:05 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Should it be tiered? For example, 12- to 14-year-olds would require parental consent; maybe kids of 14 to 16 would require something a little less. Do you just go with the age of 16?

1:05 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

The approach is that the child be at least 16 years old. Below the age of 16, the processing is lawful only if and to the extent that consent is given or authorized by the responsible parent of the child.

The compromise was in the final sentence of paragraph 1 of article 8, which said that member states may authorize a lower age, provided that the lower age is not below 13 years.

1:05 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Okay.

1:05 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

The question is, how are you sure there's control to make a reasonable effort to verify that consent is given or authorized by the holder of parental responsibility? Also, how can you take into consideration available technologies? Here we suffer from the relationship between data collection and the rest of the legal system. Within the member states, apart from differences in considering whether a child is an adult or not, we have divergent approaches to contract law. This is why the GDPR says that the paragraph I mentioned shall not affect the contract law of those member states concerning the validity or the effect of a contract in relation to a child. So in the workplace you may have a different approach to the validity of the relevant contract for employment and the rules on data protection. This is part of our contradictions.

1:10 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

I was surprised, actually, when you said you were disappointed with the provisions that have been made for children. Is that somewhat unanimous across the EU? What happened that makes you express that disappointment? Where did it go wrong?

1:10 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

We said that in two formal “Opinions”, so I'm not now reinventing the wheel. We are here because of the difficulties in regulating, from a data protection viewpoint, an issue that is much bigger, and to speed up the process, perhaps. The approach of the legislator was to count more on the guidance by data protection authorities. So, I'm afraid we will continue working with a flexible approach. Perhaps it will be up to data collection authorities to identify reliable methods that stop content from being freely given, and to identify the relevant safeguards and suitable methods for age and verification.

1:10 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Thank you very much.

1:10 p.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

Thanks very much.

Our final round goes to Mr. Blaikie for three minutes.